From john.weeks at sun.com Tue Sep 2 00:27:22 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Tue, 2 Sep 2008 00:27:22 -0700 (PDT)
Subject: [fmac-notify] Added tag fmac_alpha2 for changeset acf11724ff3a
Message-ID: <200809020727.m827RM4p021274@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 96f412eecdc43d989e90ee6d870d1d98d69f218a
Total changesets: 1

Log message:
Added tag fmac_alpha2 for changeset acf11724ff3a

Files:
update: .hgtags


From john.weeks at sun.com Tue Sep 2 00:43:56 2008
From: john.weeks at sun.com (John Weeks)
Date: Tue, 02 Sep 2008 00:43:56 -0700
Subject: [fmac-notify] onnv_97/Alpha2
Message-ID: <48BCEEBC.3050205@sun.com>

Sending this directly to the list since it was suppressed by the push.

pushing to ssh://jweeks at hg.opensolaris.org/hg/fmac/fmac-gate
searching for changes
Are you sure you wish to push? [y/N]: y
remote: adding changesets
remote: adding manifests
remote: adding file changes
remote: added 1030 changesets with 8778 changes to 5954 files
remote: Notification not sent: 500+ changesets suggests initial push.
remote: Please contact tonic-ops at sun.com if you need to do this.


From sds at tycho.nsa.gov Wed Sep 10 05:47:45 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Wed, 10 Sep 2008 05:47:45 -0700 (PDT)
Subject: [fmac-notify] Basic process security context transition support
Message-ID: <200809101247.m8ACljkd014769@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: a50b497f89fe42c0f115956e6f0d85918572fe66
Total changesets: 1

Log message:
Basic process security context transition support

Implement basic process security context transition support, leveraging the prior patch for file security contexts on executables.

With this support and a suitable labeled filesystem and policy, processes will automatically transition into an appropriate security context when they execute a program based on the program file's security context, and a process may explicitly transition to a given security context if authorized via the already existing setexeccon() interface.

This only implements the core logic for a transition; a number of other checks will be added later, such as a check to decide whether the linker security flag needs to be set on the transition, ptrace-related checking, checks on the inheritance of state such as open file descriptors, the normal file execute check applied via VOP_ACCESS, mmap/mprotect PROT_EXEC checks, etc.

The checks applied here are:
- If not transitioning, may the process execute the file without transitioning to a new security context (file:execute_no_trans)?
- If transitioning, may the process transition to the new security context (process:transition) and may the new process security context be entered via a program with this file security context (file:entrypoint)?

Changes since the prior version of this patch include:
- setsecid changed from int to boolean_t, with B_TRUE and B_FALSE as values.
Webrev available at: http://cr.opensolaris.org/~sds/exec/

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/os/exec.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Wed Sep 10 05:47:45 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Wed, 10 Sep 2008 05:47:45 -0700 (PDT)
Subject: [fmac-notify] File contexts and policy changes
Message-ID: <200809101247.m8ACljko014773@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 8367f05f6752151b5c5c0cced03869e4c4d07f51
Total changesets: 1

Log message:
File contexts and policy changes

This patch updates the file contexts and policy configurations to allow the preceding prototype file security context support and basic security context transition support to be demonstrated.

After applying all three patches, one can do the following:

$ setfiles /etc/security/fmac/file_contexts /
$ getfilecon /sbin/init /usr/lib/ssh/sshd /bin/bash
/sbin/init: system_u:object_r:init_exec_t
/usr/lib/ssh/sshd: system_u:object_r:sshd_exec_t
/bin/bash: system_u:object_r:shell_exec_t
$ reboot

and then upon logging into the system via ssh, the processes should have typical domains for the user shell, sshd daemon, and init processes:

$ pcon $$ $PPID 1
: system_u:system_r:user_t:unclassified
: system_u:system_r:sshd_t:unclassified
1: system_u:system_r:init_t:unclassified

Webrev available at: http://cr.opensolaris.org/~sds/policy/

Files:
update: usr/src/cmd/fmac/policy/assert.te
update: usr/src/cmd/fmac/policy/domains/every.te
update: usr/src/cmd/fmac/policy/domains/program/newrole.te
update: usr/src/cmd/fmac/policy/domains/program/passwd.te
update: usr/src/cmd/fmac/policy/domains/program/su.te
update: usr/src/cmd/fmac/policy/domains/system/ftpd.te
update: usr/src/cmd/fmac/policy/domains/system/init.te
update: usr/src/cmd/fmac/policy/domains/system/login.te
update: usr/src/cmd/fmac/policy/domains/system/rlogind.te
update: usr/src/cmd/fmac/policy/domains/system/rshd.te
update: usr/src/cmd/fmac/policy/domains/system/sshd.te
update: usr/src/cmd/fmac/policy/file_contexts
update: usr/src/cmd/fmac/policy/rbac
update: usr/src/cmd/fmac/policy/types/file.te


From sds at tycho.nsa.gov Wed Sep 10 05:47:44 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Wed, 10 Sep 2008 05:47:44 -0700 (PDT)
Subject: [fmac-notify] Prototype file security context support
Message-ID: <200809101247.m8ACli0Z014765@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: d58705eb5b5850903b30bef4efecd24261cbcbb0
Total changesets: 1

Log message:
Prototype file security context support

Implement prototype file security context support to enable progress on developing other parts of FMAC that depend on file security contexts until system attribute support in ZFS is reworked.

In the kernel, introduce support for a "secctx" system attribute, fetch this attribute for existing files on the lookup code path and map to an incore vnode secid for internal use by FMAC, and compute and set this attribute and the incore vnode secid on the create and mkdir code paths. Current limitations of this prototype support include a 56-byte maximum length for the security context, inability to use both secctx and av_scanstamp together on a file, and inability to assign a security context to file types other than regular files and directories.

In userland, introduce getfilecon() and setfilecon() libc interfaces and corresponding utilities for getting and setting the file security context. Also update the setfiles utility to use the new interfaces and to deal with the current limitation to regular files and directories.
Changes from the first version of the patch include:
- moving the resizing of the bonus buffer into zfs_xvattr_set(), thereby fixing the setting of the attribute on new files,
- fixing libc_nvlist_alloc whitespace and error return,
- moved vfs_has_feature check earlier in fmac_vnode_create(),
- added comments to clarify certain aspects of the code

New libc interfaces:
int getfilecon(const char *path, char **secctxp);
int setfilecon(const char *path, char *secctx);

New utilities:
getfilecon path...
setfilecon context path...
setfiles spec-file path...

Example usage:
/etc/shadow: system_u:object_r:shadow_t

Webrev available at: http://cr.opensolaris.org/~sds/secctx/

Files:
create: usr/src/cmd/fmac/getfilecon/Makefile
create: usr/src/cmd/fmac/getfilecon/getfilecon.c
create: usr/src/cmd/fmac/setfilecon/Makefile
create: usr/src/cmd/fmac/setfilecon/setfilecon.c
create: usr/src/lib/libc/port/gen/filecon.c
update: usr/src/cmd/fmac/Makefile
update: usr/src/cmd/fmac/policy/Makefile
update: usr/src/cmd/fmac/setfiles/Makefile
update: usr/src/cmd/fmac/setfiles/setfiles.c
update: usr/src/common/fmac/ss/services.c
update: usr/src/common/xattr/xattr_common.c
update: usr/src/head/fmac/fmac.h
update: usr/src/lib/libc/amd64/Makefile
update: usr/src/lib/libc/i386/Makefile.com
update: usr/src/lib/libc/inc/libc.h
update: usr/src/lib/libc/port/gen/attrat.c
update: usr/src/lib/libc/port/mapfile-vers
update: usr/src/lib/libc/sparc/Makefile
update: usr/src/lib/libc/sparcv9/Makefile
update: usr/src/pkgdefs/SUNWcsr/prototype_com
update: usr/src/pkgdefs/SUNWesu/prototype_com
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/fs/xattr.c
update: usr/src/uts/common/fs/zfs/sys/zfs_znode.h
update: usr/src/uts/common/fs/zfs/sys/zil.h
update: usr/src/uts/common/fs/zfs/zfs_acl.c
update: usr/src/uts/common/fs/zfs/zfs_log.c
update: usr/src/uts/common/fs/zfs/zfs_replay.c
update: usr/src/uts/common/fs/zfs/zfs_vnops.c
update: usr/src/uts/common/fs/zfs/zfs_znode.c
update: usr/src/uts/common/os/policy.c
update: usr/src/uts/common/sys/attr.h
update: usr/src/uts/common/sys/fmac/fmac.h
update: usr/src/uts/common/sys/policy.h
update: usr/src/uts/common/sys/vnode.h


From sds at tycho.nsa.gov Fri Sep 12 10:50:12 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 12 Sep 2008 10:50:12 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH 5/5] Mediate PROT_EXEC file mappings
Message-ID: <200809121750.m8CHoC4W023720@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: d1beae49542c8e16a4a5b3e9c8bf9c9cf00eb173
Total changesets: 1

Log message:
[fmac-discuss] [PATCH 5/5] Mediate PROT_EXEC file mappings

Call fmac_vnode_access from mmap to mediate PROT_EXEC mappings of files. There are two cases:

1) Caller requested PROT_EXEC. In this case, we check execute access to the vnode, audit any denial and immediately return an error to the caller if access is not allowed.

2) Caller did not request PROT_EXEC. In this case, we check execute access to the vnode solely in order to set maxprot appropriately for later checking by mprotect. As the caller did not request it, we do not need to audit a lack of execute access or return an error to the caller on the mmap call. Handling of failure on the mprotect path will be handled via a separate patch.

Controlling PROT_EXEC file mappings is part of the overall code execution controls provided by Flask/TE in order to bind specific domains to specific code vetted for that purpose.
Files:
update: usr/src/uts/common/os/grow.c


From sds at tycho.nsa.gov Fri Sep 12 10:50:10 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 12 Sep 2008 10:50:10 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH 1/5] Fix fmac_vnode_set_secctx
Message-ID: <200809121750.m8CHoAlI023655@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 86bda13a9ce7cf5affd97fda54d887c2521a6392
Total changesets: 1

Log message:
[fmac-discuss] [PATCH 1/5] Fix fmac_vnode_set_secctx

Fix a bug in fmac_vnode_set_secctx: do not update the vnode secid if the permission checks failed.

Files:
update: usr/src/uts/common/fmac/fmac.c


From sds at tycho.nsa.gov Fri Sep 12 10:50:11 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 12 Sep 2008 10:50:11 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH 2/5] Add fmac_vfs_root
Message-ID: <200809121750.m8CHoB0r023709@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: bc307d6758c315bf93c45c9b885797991aabcc9b
Total changesets: 1

Log message:
[fmac-discuss] [PATCH 2/5] Add fmac_vfs_root

Add a fmac_vfs_root() function to set up root vnodes. Internally this applies fmac_vnode_lookup() to the root vnode to fetch its attribute and map it to an incore secid.

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vfs.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Fri Sep 12 10:50:11 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 12 Sep 2008 10:50:11 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH 3/5] Extend avc_audit()
Message-ID: <200809121750.m8CHoBD6023712@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: dc052918a7e323867e914b458d34eb1414e3b655
Total changesets: 1

Log message:
[fmac-discuss] [PATCH 3/5] Extend avc_audit()

Extend avc_audit() to report pid, comm, and optionally path information in avc messages. This is helpful in debugging policy denials. This may be obsoleted later by integration of FMAC with audit.

Files:
update: usr/src/uts/common/fmac/avc.c
update: usr/src/uts/common/sys/fmac/avc.h


From sds at tycho.nsa.gov Fri Sep 12 10:50:12 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 12 Sep 2008 10:50:12 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH 4/5] Add fmac_vnode_access
Message-ID: <200809121750.m8CHoCo8023716@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: fc35b339abd8908c7d796d4842ccd34504351b24
Total changesets: 1

Log message:
[fmac-discuss] [PATCH 4/5] Add fmac_vnode_access

Add a FMAC hook in fop_access to mediate the file read / write / exec checks. This only introduces the regular mandatory access check; handling privileges is left for a later patch. For now, ignore file types other than regular files and directories since we only support labeling those two file types presently.
Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Mon Sep 15 07:07:28 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Mon, 15 Sep 2008 07:07:28 -0700 (PDT)
Subject: [fmac-notify] Mediate access to proc vnodes
Message-ID: <200809151407.m8FE7SaY026595@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: f40998e41fac2261f2c3d12bb0c551f44b87a442
Total changesets: 1

Log message:
Mediate access to proc vnodes

Mediate access to the proc vnodes of another process. We will need further hooks elsewhere for complete coverage, e.g. praccess() allows certain proc files to be read by anyone.

Result of running "truss passwd" as a root process running in the unprivileged user_t domain:

avc: denied { ptrace } for scontext=system_u:system_r:user_t:unclassified tcontext=system_u:system_r:passwd_t:unclassified tclass=process pid=100779 comm=truss

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/os/priv.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Tue Sep 16 11:58:49 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Tue, 16 Sep 2008 11:58:49 -0700 (PDT)
Subject: [fmac-notify] Set linker security flag on security context transitions
Message-ID: <200809161859.m8GIwnlj015134@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 831da5fa2b034582280b18b091fb1b15b37d2db7
Total changesets: 1

Log message:
Set linker security flag on security context transitions

When the calling domain is less trusted than the new domain, we want to set the linker security flag so that ld.so will not trust the caller. This is subject to policy via a process:execsetid permission check; if allowed, then the linker security flag is not set. We set the EXECSETID_UGIDS flag because that is what is checked by elfexec().
There appear to be no side effects from setting this flag. If desired, we could introduce our own flag value here, as with setting of PRIV_SETUGID flag by the base context transition support.

If someone could explain the rationale for why PRIV_SETID is not the same as EXECSETID_SETID and why PRIV_SETUGID is not the same as EXECSETID_UGIDS in meaning, I would be appreciative. I find it vaguely maddening that setting PRIV_SETUGID in privflags causes EXECSETID_SETID to be set in setidfl and an actual identity change resulting from PRIV_SETID results in setting of EXECSETID_UGIDS, reversing the sense of the flag names. Perhaps this is just historical and deserves a code cleanup?

Example of running "LD_PRELOAD=evil.o passwd" as root from a user_t shell:

dmesg output:
avc: denied { execsetid } for scontext=system_u:system_r:user_t:unclassified tcontext=system_u:system_r:passwd_t:unclassified tclass=process pid=100768 comm=sh

Command output:
ld.so.1: passwd: warning: ./evil.o: open failed: illegal insecure pathname

Of course, if we allow this permission in policy, kernel mediation of the PROT_EXEC mapping will still prevent execution of unauthorized shared objects:

dmesg output:
avc: denied { execute } for scontext=system_u:system_r:passwd_t:unclassified tcontext=system_u:object_r:file_t:unclassified tclass=file pid=100768 comm=passwd path=/export/home/sds/evil.o

Command output:
ld.so.1: passwd: fatal: ./evil.o: Permission denied
Killed

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/os/exec.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Tue Sep 16 13:16:24 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Tue, 16 Sep 2008 13:16:24 -0700 (PDT)
Subject: [fmac-notify] A few policy changes to help with getting a system functioning in
Message-ID: <200809162016.m8GKGOVY008512@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: ff1aaba25d5716b2c44b4ec71a7d7b1812010b6a
Total changesets: 1

Log message:
A few policy changes to help with getting a system functioning in enforcing mode and to support ongoing work by John on pam unix_cred changes to set user session security contexts.

Files:
update: usr/src/cmd/fmac/policy/domains/admin/sysadm.te
update: usr/src/cmd/fmac/policy/domains/system/initrc.te
update: usr/src/cmd/fmac/policy/domains/system/sshd.te
update: usr/src/cmd/fmac/policy/file_contexts
update: usr/src/cmd/fmac/policy/macros.te
update: usr/src/cmd/fmac/policy/rbac
update: usr/src/cmd/fmac/policy/types/file.te
update: usr/src/cmd/fmac/policy/users


From sds at tycho.nsa.gov Wed Sep 17 13:11:17 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Wed, 17 Sep 2008 13:11:17 -0700 (PDT)
Subject: [fmac-notify] Mediate create and link
Message-ID: <200809172011.m8HKBHb4011494@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 19259f9725466dca28977ff59257e86e3694465f
Total changesets: 1

Log message:
Mediate create and link

Apply directory and file permission checks on create and link operations. This extends the existing fmac_vnode_create() hook to apply dir:add_name and file:create permission checks and adds a new fmac_vnode_link() hook to apply dir:add_name and file:link permission checks.

Other changes include:
- pass the link name to audit for inclusion in avc messages,
- fix memory leak of security context in fmac_vnode_create(),
- pass the vnode to audit on the fmac_exec() checks so that path= info is included in avc messages.

The issue of unifying this logic with the corresponding filesystem access checking is deferred to a future patch.
Sample avc output with this patch applied:

avc: denied { add_name } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:etc_t:unclassified tclass=dir pid=100779 comm=ln path=/etc name=foo
avc: denied { link } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:shadow_t:unclassified tclass=file pid=100779 comm=ln path=/etc/shadow name=foo

Files:
update: usr/src/uts/common/fmac/avc.c
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/sys/fmac/avc.h
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Thu Sep 18 04:43:30 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 18 Sep 2008 04:43:30 -0700 (PDT)
Subject: [fmac-notify] Mediate unlink and rmdir
Message-ID: <200809181143.m8IBhUF8008602@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 9efedf76033331d8e35f3e79e477c46c0569d258
Total changesets: 1

Log message:
Mediate unlink and rmdir

Apply directory and file permission checks on unlink and rmdir operations. Since the target vnode is not available in the fop_ functions, we hook the zfs_zaccess_delete() function. This limits the checking to zfs only at present. We may revisit this later in reconsidering the division of labor between the vfs and the filesystem vnode operations.

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/zfs/zfs_acl.c
update: usr/src/uts/common/sys/fmac/fmac.h


From john.weeks at sun.com Thu Sep 18 07:55:10 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Thu, 18 Sep 2008 07:55:10 -0700 (PDT)
Subject: [fmac-notify] fmacsys_getprevcon calling wrong cred function
Message-ID: <200809181455.m8IEtAEr000599@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 3a3df6414bd243e013983cd542992d1578af3131
Total changesets: 1

Log message:
fmacsys_getprevcon calling wrong cred function

Files:
update: usr/src/uts/common/syscall/fmacsys.c


From sds at tycho.nsa.gov Thu Sep 18 09:40:35 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 18 Sep 2008 09:40:35 -0700 (PDT)
Subject: [fmac-notify] Mediate rename
Message-ID: <200809181640.m8IGeZnJ026434@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 85ca241b11988323784b514613dc0a88aff20ffa
Total changesets: 1

Log message:
Mediate rename

Apply directory and file permission checks on rename operations. To allow a distinction between rename and unlink checking on the source vnode, the fmac_vnode_remove() hook in zfs_zaccess_delete() introduced by the prior patch is moved to zfs_remove() and zfs_rmdir(), and a separate fmac_vnode_rename() hook is added to zfs_rename(). As with the remove/rmdir hooks, we have to hook zfs presently for rename since the source and target vnodes are only available there.
Sample AVC output on a mv /etc/shadow- /etc/shadow:

avc: denied { remove_name } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:etc_t:unclassified tclass=dir pid=100813 comm=mv path=/etc
avc: denied { rename } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:shadow_t:unclassified tclass=file pid=100813 comm=mv path=/etc/shadow-
avc: denied { add_name } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:etc_t:unclassified tclass=dir pid=100813 comm=mv path=/etc
avc: denied { unlink } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:shadow_t:unclassified tclass=file pid=100813 comm=mv path=/etc/shadow

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/zfs/zfs_acl.c
update: usr/src/uts/common/fs/zfs/zfs_vnops.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Thu Sep 18 09:40:36 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 18 Sep 2008 09:40:36 -0700 (PDT)
Subject: [fmac-notify] Mediate setting of attributes
Message-ID: <200809181640.m8IGea9t026438@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: bc3a0d3a4dc989b15f85da39b22b399e8c8be473
Total changesets: 1

Log message:
Mediate setting of attributes

Apply file:setattr permission checks on setattr and setsecattr operations. We may wish to further distinguish these operations with different permissions in the future.

Sample AVC output:

avc: denied { setattr } for scontext=system_u:system_r:crond_t:unclassified tcontext=system_u:object_r:var_t:unclassified tclass=file pid=100324 comm=cron path=/var/cron/log

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/sys/fmac/fmac.h


From sds at tycho.nsa.gov Thu Sep 18 09:40:37 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 18 Sep 2008 09:40:37 -0700 (PDT)
Subject: [fmac-notify] Merge getprevcon fix.
Message-ID: <200809181640.m8IGebUk026442@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 6762da052ca5ff3a13c12b9a3e8504cbd01110e5
Total changesets: 1

Log message:
Merge getprevcon fix.

Files:


From sds at tycho.nsa.gov Fri Sep 19 10:08:31 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 19 Sep 2008 10:08:31 -0700 (PDT)
Subject: [fmac-notify] Policy changes
Message-ID: <200809191708.m8JH8VLr027364@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 3621a9b87ec504a0ca59de1b8ebacebcfb417dfe
Total changesets: 1

Log message:
Policy changes

Various policy cleanups and changes to enable booting and logging into the system in enforcing mode (e.g. using -p enforcing on the kernel command line). In order to actually use, apply the patch, update your policy and file_contexts, relabel your filesystems, and then reboot. Note also that there is a dependency on the pam unix_cred changes for setting the user session security context.
Files:
update: usr/src/cmd/fmac/policy/Makefile
update: usr/src/cmd/fmac/policy/assert.te
update: usr/src/cmd/fmac/policy/domains/every.te
update: usr/src/cmd/fmac/policy/domains/program/passwd.te
update: usr/src/cmd/fmac/policy/domains/program/su.te
update: usr/src/cmd/fmac/policy/domains/program/utempter.te
update: usr/src/cmd/fmac/policy/domains/system/crond.te
update: usr/src/cmd/fmac/policy/domains/system/inetd.te
update: usr/src/cmd/fmac/policy/domains/system/init.te
update: usr/src/cmd/fmac/policy/domains/system/kernel.te
update: usr/src/cmd/fmac/policy/domains/system/sshd.te
update: usr/src/cmd/fmac/policy/domains/system/syslogd.te
update: usr/src/cmd/fmac/policy/domains/user/user.te
update: usr/src/cmd/fmac/policy/file_contexts
update: usr/src/cmd/fmac/policy/macros.te
update: usr/src/cmd/fmac/policy/types/file.te


From sds at tycho.nsa.gov Fri Sep 19 10:08:30 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 19 Sep 2008 10:08:30 -0700 (PDT)
Subject: [fmac-notify] Mediate some process operations
Message-ID: <200809191708.m8JH8UM1027359@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: e3677dd007787472b2ab9f1a1661d63c558ab071
Total changesets: 1

Log message:
Mediate some process operations

Mediate process operations that presently call *hasprocperm() by extending the existing interfaces to pass an access vector and inserting a fmac_hasprocperm() hook into hasprocperm().

Sample AVC output from kill `cat /var/run/sshd.pid`:

avc: denied { signal } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:system_r:sshd_t:unclassified tclass=process pid=100763 comm=bash

If we wanted to augment the avc message with the target pid, we might extend the hasprocperm() interface to optionally convey the target pid if available; then prochasprocperm() could pass that information from the proc_t.

Files:
update: usr/src/common/fmac/policy/flask/access_vectors
update: usr/src/uts/common/brand/lx/syscall/lx_kill.c
update: usr/src/uts/common/contract/process.c
update: usr/src/uts/common/disp/class.c
update: usr/src/uts/common/disp/priocntl.c
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/os/cpu.c
update: usr/src/uts/common/os/cred.c
update: usr/src/uts/common/os/klpd.c
update: usr/src/uts/common/os/policy.c
update: usr/src/uts/common/os/pool_pset.c
update: usr/src/uts/common/os/sig.c
update: usr/src/uts/common/sys/cred.h
update: usr/src/uts/common/sys/fmac/fmac.h
update: usr/src/uts/common/syscall/corectl.c
update: usr/src/uts/common/syscall/lgrpsys.c
update: usr/src/uts/common/syscall/pset.c


From john.weeks at sun.com Sun Sep 28 22:33:08 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Sun, 28 Sep 2008 22:33:08 -0700 (PDT)
Subject: [fmac-notify] Set user's security context in pam_unix_cred.so.1
Message-ID: <200809290533.m8T5X8Q5006519@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 65d34b90499c71faa2e991c0d2112ebc0c4ca9a1
Total changesets: 1

Log message:
Set user's security context in pam_unix_cred.so.1

Files:
update: usr/src/lib/pam_modules/unix_cred/unix_cred.c


From john.weeks at sun.com Sun Sep 28 22:33:08 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Sun, 28 Sep 2008 22:33:08 -0700 (PDT)
Subject: [fmac-notify] gate merge
Message-ID: <200809290533.m8T5X8Cu006522@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 7ebd52db522740c8714087d1ccc9a60c49f417bb
Total changesets: 1

Log message:
gate merge

Files:
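The three checks listed in the "Basic process security context transition support" notification above, modelled in user space as an added example (this is not exec.c or fmac.c from fmac-gate). It assumes type-only contexts and a small constructed rule table standing in for the AVC and for the policy's automatic transition rules.

```c
/*
 * Added example, not FMAC's exec.c or fmac.c: a user-space model of the three
 * checks listed in "Basic process security context transition support".
 * Contexts are reduced to their type ("user_t"); the rule tables are a
 * constructed toy policy, not the fmac-gate policy.
 */
#include <stdio.h>
#include <string.h>

struct allow_rule { const char *scontext, *tcontext, *tclass, *perm; };
struct trans_rule { const char *scontext, *file_type, *new_domain; };

/* Constructed allow rules: (source, target, class, permission). */
static const struct allow_rule allow_rules[] = {
    { "user_t",   "shell_exec_t",  "file",    "execute_no_trans" },
    { "user_t",   "shell_exec_t",  "file",    "entrypoint" },
    { "user_t",   "passwd_t",      "process", "transition" },
    { "passwd_t", "passwd_exec_t", "file",    "entrypoint" },
    { "sshd_t",   "user_t",        "process", "transition" },
};

/* Constructed automatic transitions, keyed on the executable's file type. */
static const struct trans_rule trans_rules[] = {
    { "user_t", "passwd_exec_t", "passwd_t" },
    { "sshd_t", "shell_exec_t",  "user_t" },
};

#define NELEM(a) (sizeof (a) / sizeof ((a)[0]))

/* Stand-in for the AVC lookup: is (scontext, tcontext, tclass, perm) allowed? */
static int avc_allowed(const char *s, const char *t, const char *cls, const char *perm)
{
    for (size_t i = 0; i < NELEM(allow_rules); i++) {
        const struct allow_rule *r = &allow_rules[i];
        if (strcmp(r->scontext, s) == 0 && strcmp(r->tcontext, t) == 0 &&
            strcmp(r->tclass, cls) == 0 && strcmp(r->perm, perm) == 0)
            return 1;
    }
    return 0;
}

/* Default domain after old_domain executes a file of file_type; unchanged if no rule. */
static const char *default_transition(const char *old_domain, const char *file_type)
{
    for (size_t i = 0; i < NELEM(trans_rules); i++)
        if (strcmp(trans_rules[i].scontext, old_domain) == 0 &&
            strcmp(trans_rules[i].file_type, file_type) == 0)
            return trans_rules[i].new_domain;
    return old_domain;
}

/*
 * Domain a process enters on executing a file of file_type. exec_domain is the
 * context explicitly requested via setexeccon(), or NULL. Returns the new
 * domain, or NULL when policy denies the exec.
 */
const char *fmac_exec_new_domain(const char *old_domain, const char *file_type,
    const char *exec_domain)
{
    const char *new_domain = exec_domain != NULL ? exec_domain
        : default_transition(old_domain, file_type);

    if (strcmp(new_domain, old_domain) == 0) {
        /* Not transitioning: file:execute_no_trans on the program file. */
        if (!avc_allowed(old_domain, file_type, "file", "execute_no_trans"))
            return NULL;
    } else {
        /* Transitioning: process:transition from the old domain to the new ... */
        if (!avc_allowed(old_domain, new_domain, "process", "transition"))
            return NULL;
        /* ... and file:entrypoint of the new domain on the program file. */
        if (!avc_allowed(new_domain, file_type, "file", "entrypoint"))
            return NULL;
    }
    return new_domain;
}

int main(void)
{
    const char *d = fmac_exec_new_domain("user_t", "passwd_exec_t", NULL);
    printf("user_t exec passwd_exec_t -> %s\n", d != NULL ? d : "denied");
    d = fmac_exec_new_domain("user_t", "shadow_t", NULL);
    printf("user_t exec shadow_t -> %s\n", d != NULL ? d : "denied");
    return 0;
}
```

Passing the caller's own domain as exec_domain forces the no-transition path, so an explicit setexeccon() to the current context still needs file:execute_no_trans.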
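The two mmap cases from "[PATCH 5/5] Mediate PROT_EXEC file mappings" above, as an added example rather than the grow.c change itself. fmac_vnode_access() is replaced by a constructed allow-list on the file's type, every mapping is assumed to start with maxprot = RWX, and the evil.o sample file and its file_t label are taken from the linker-flag message.

```c
/*
 * Added example, not FMAC's grow.c: a user-space model of the two mmap cases
 * in "[PATCH 5/5] Mediate PROT_EXEC file mappings". The access decision is a
 * constructed stand-in for fmac_vnode_access() that allows execute only on a
 * small allow-list of file types; "audit" is a counter plus a line on stderr.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>   /* PROT_READ, PROT_WRITE, PROT_EXEC */

struct vnode { const char *path; const char *type; };  /* type: file security type */
struct mmap_result { int error; int maxprot; };

static int audited_denials;   /* avc denial messages emitted so far */

/* Constructed policy: only these file types may be mapped executable. */
static int execute_allowed(const struct vnode *vp)
{
    return strcmp(vp->type, "bin_t") == 0 || strcmp(vp->type, "lib_t") == 0;
}

/* Stand-in for fmac_vnode_access() checking file:execute on vp. With audit set a
 * denial is logged in the avc format the messages show; without it the check is
 * silent, as the patch does when the caller did not request PROT_EXEC. */
static int fmac_vnode_access_exec(const struct vnode *vp, const char *scontext,
    const char *comm, int audit)
{
    if (execute_allowed(vp))
        return 0;
    if (audit) {
        audited_denials++;
        fprintf(stderr, "avc: denied { execute } for scontext=%s "
            "tcontext=system_u:object_r:%s:unclassified tclass=file comm=%s path=%s\n",
            scontext, vp->type, comm, vp->path);
    }
    return EACCES;
}

/* Model of the mmap hook: the call's outcome plus the mapping's maxprot. */
struct mmap_result fmac_mmap(const struct vnode *vp, int prot,
    const char *scontext, const char *comm)
{
    /* Simplification: every mapping starts out with maxprot = RWX. */
    struct mmap_result r = { 0, PROT_READ | PROT_WRITE | PROT_EXEC };

    if (prot & PROT_EXEC) {
        /* Case 1: PROT_EXEC requested; audit and fail the call if denied. */
        r.error = fmac_vnode_access_exec(vp, scontext, comm, 1);
        if (r.error != 0)
            r.maxprot = 0;          /* no mapping is created */
        return r;
    }
    /* Case 2: not requested; check silently only to cap maxprot for mprotect. */
    if (fmac_vnode_access_exec(vp, scontext, comm, 0) != 0)
        r.maxprot &= ~PROT_EXEC;
    return r;
}

/* A later mprotect() may not exceed maxprot; the patch defers how failure is reported. */
int fmac_mprotect(int maxprot, int prot)
{
    return (prot & ~maxprot) != 0 ? EACCES : 0;
}

int fmac_audited_denials(void) { return audited_denials; }

/* Sample files: evil.o and its file_t label come from the linker-flag message; libc is constructed. */
const struct vnode sample_lib  = { "/usr/lib/libc.so.1", "lib_t" };
const struct vnode sample_evil = { "/export/home/sds/evil.o", "file_t" };

int main(void)
{
    const char *ctx = "system_u:system_r:passwd_t:unclassified";
    struct mmap_result r = fmac_mmap(&sample_evil, PROT_READ | PROT_EXEC, ctx, "passwd");
    printf("PROT_EXEC mmap of evil.o: error=%d maxprot=%#x\n", r.error, r.maxprot);
    r = fmac_mmap(&sample_evil, PROT_READ, ctx, "passwd");
    printf("PROT_READ mmap of evil.o: error=%d maxprot=%#x mprotect(PROT_EXEC)=%d\n",
        r.error, r.maxprot, fmac_mprotect(r.maxprot, PROT_EXEC));
    return 0;
}
```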
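The avc denial lines quoted throughout the messages above (ptrace, execsetid, execute, add_name, link, rename, setattr, signal) share one format. This added example, not code from fmac-gate, parses that format and counts denials by target type and permission, using the four rename denials as its sample input; field widths and the 512-byte line limit are assumptions.

```c
/*
 * Added example, not FMAC code: a parser for the "avc: denied { perm } for
 * key=value ..." lines shown in the notifications above, plus a counter over a
 * log. The sample log copies the four denials from the "Mediate rename" message.
 */
#include <stdlib.h>
#include <string.h>

#define AVC_FIELD 128

struct avc_msg {
    char perms[AVC_FIELD], scontext[AVC_FIELD], tcontext[AVC_FIELD], ttype[64];
    char tclass[32], comm[32], path[AVC_FIELD], name[AVC_FIELD];
    long pid;                               /* 0 when the line has no pid= */
};

/* Bounded copy of len bytes of src into dst[n], always NUL-terminated. */
static void set_field(char *dst, size_t n, const char *src, size_t len)
{
    if (len >= n)
        len = n - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse one denial line into *m; returns 1 on success, 0 for anything else. */
int avc_parse(const char *line, struct avc_msg *m)
{
    static const char head[] = "avc: denied { ", sep[] = " } for ";
    const char *p = strstr(line, head), *rest, *t;
    char buf[512];
    if (p == NULL || (rest = strstr(p + strlen(head), sep)) == NULL)
        return 0;
    p += strlen(head);
    memset(m, 0, sizeof (*m));
    set_field(m->perms, AVC_FIELD, p, (size_t)(rest - p));
    rest += strlen(sep);
    set_field(buf, sizeof (buf), rest, strlen(rest));
    /* The remainder is whitespace-separated key=value pairs, in any order. */
    for (char *tok = strtok(buf, " \t\r\n"); tok != NULL; tok = strtok(NULL, " \t\r\n")) {
        char *val = strchr(tok, '=');
        if (val == NULL)
            continue;
        *val++ = '\0';
        if (strcmp(tok, "scontext") == 0) set_field(m->scontext, AVC_FIELD, val, strlen(val));
        else if (strcmp(tok, "tcontext") == 0) set_field(m->tcontext, AVC_FIELD, val, strlen(val));
        else if (strcmp(tok, "tclass") == 0) set_field(m->tclass, sizeof (m->tclass), val, strlen(val));
        else if (strcmp(tok, "comm") == 0) set_field(m->comm, sizeof (m->comm), val, strlen(val));
        else if (strcmp(tok, "path") == 0) set_field(m->path, AVC_FIELD, val, strlen(val));
        else if (strcmp(tok, "name") == 0) set_field(m->name, AVC_FIELD, val, strlen(val));
        else if (strcmp(tok, "pid") == 0) m->pid = strtol(val, NULL, 10);
    }
    /* The target type is the third colon-separated field of tcontext. */
    t = strchr(m->tcontext, ':');
    t = t ? strchr(t + 1, ':') : NULL;
    if (t != NULL)
        set_field(m->ttype, sizeof (m->ttype), t + 1, strcspn(t + 1, ":"));
    return m->scontext[0] != '\0' && t != NULL && m->tclass[0] != '\0';
}

/* Count denials in a newline-separated log; ttype and perm may be NULL for "any". */
int avc_count(const char *log, const char *ttype, const char *perm)
{
    int count = 0;
    for (const char *nl; *log != '\0'; log = nl ? nl + 1 : log + strlen(log)) {
        char line[512];
        struct avc_msg m;
        nl = strchr(log, '\n');
        set_field(line, sizeof (line), log, nl ? (size_t)(nl - log) : strlen(log));
        if (avc_parse(line, &m) &&
            (ttype == NULL || strcmp(m.ttype, ttype) == 0) &&
            (perm == NULL || strcmp(m.perms, perm) == 0))
            count++;
    }
    return count;
}

/* Sample log: the "mv /etc/shadow- /etc/shadow" denials from the rename message, plus a non-avc line. */
const char avc_sample_log[] =
    "avc: denied { remove_name } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:etc_t:unclassified tclass=dir pid=100813 comm=mv path=/etc\n"
    "avc: denied { rename } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:shadow_t:unclassified tclass=file pid=100813 comm=mv path=/etc/shadow-\n"
    "avc: denied { add_name } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:etc_t:unclassified tclass=dir pid=100813 comm=mv path=/etc\n"
    "avc: denied { unlink } for scontext=user_u:user_r:user_t:unclassified tcontext=system_u:object_r:shadow_t:unclassified tclass=file pid=100813 comm=mv path=/etc/shadow\n"
    "ld.so.1: passwd: fatal: ./evil.o: Permission denied\n";
```

A denial whose target type is shadow_t is the kind of line worth alerting on in enforcing mode, since it records a blocked attempt against the password database rather than a policy gap in a benign daemon.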